[sudo-users] Disabling "sudo su" but allow everything else?
paul at cantle.me
Mon Aug 2 15:14:34 EDT 2010
I'd also look to disable /bin/vi (without the /etc/sudoers flag by adding it to the RESTRICTED alias) as users will be able to shell out of vi by default and get a root shell anyway (which will kind of make !SHELLS irrelevant).
Just my 2c worth.
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
Sent: 02 August 2010 19:51
To: Rick_Steele at oxy.com
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Disabling "sudo su" but allow everything else?
Perfect, thanks Rick!
On Mon, Aug 2, 2010 at 11:04, <Rick_Steele at oxy.com> wrote:
> This works for me. See the entries for "RSS-TAW" and "LOCALACCTS". We use Centrify here and the RSS-TAW is a group of AD Accounts.
> Cmnd_Alias RESTRICTED = /bin/vi /etc/sudoers, /bin/su - root, /bin/su -, /usr/sbin/visudo
> Cmnd_Alias SHELLS = /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
> Defaults mailto="Linux_Unix_Admin at oxy.com"
> Defaults mail_no_perms
> Defaults mail_no_user
> Defaults mailerpath=/usr/sbin/sendmail
> Defaults mailsub="*** executed command via sudo on %h ***"
> Defaults mailerflags="-t"
> %admin ALL=(ALL) ALL
> User_Alias LOCALACCTS = xxxxxxx
> LOCALACCTS ALL = NOPASSWD: ALL, !SHELLS, !RESTRICTED
> %RSS-TAW ALL=(ALL) ALL, !SHELLS, !RESTRICTED
> Rick Steele
> Consultant, Enterprise Server Operations OXY Inc.
> 713-215-7836 Office; 832-744-5824 Cell; 713-215-7170 FAX
> THIS COMMUNICATION IS ONLY FOR THE USE OF THE INTENDED RECIPIENT. IT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF OCCIDENTAL PETROLEUM CORPORATION OR ITS AFFILIATED CORPORATIONS. UNAUTHORIZED USE, DISTRIBUTION, OR DISCLOSURE IS PROHIBITED. IF YOU ARE NOT THE INTENDED RECIPIENT PLEASE NOTIFY THE SENDER.
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
> Sent: Monday, August 02, 2010 11:59 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Disabling "sudo su" but allow everything else?
> I know it's not the preferred way to go about doing things but I've
> got a group of people that ssh into systems with a designated user
> account and I want to allow them to do everything on the system other
> than doing a 'sudo su' and 'sudo su -'. I've tried the following but
> can't seem to get it to work:
> User_Alias OKGUYS = userone, usertwo
> Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
> OKGUYS ALL = NOPASSWD: ALL, NON
> Is there a way to actually do this?
> sudo-users mailing list <sudo-users at sudo.ws> For list information,
> options, or to unsubscribe, visit:
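Whether Rick's rule set does what Jimmy wants comes down to how sudoers matches the command it is about to run against "ALL, !SHELLS, !RESTRICTED". The Python below is an added example, not code from the thread or from the sudo project. It models the matching rules that sudoers(5) documents (ALL matches any command, a bare path matches that path with any arguments, a path followed by arguments matches only those exact arguments, a path followed by "" matches only a bare invocation, and when several entries match the last one wins), expands Rick's two aliases exactly as he posted them, and evaluates a set of constructed invocations. The invocations assume su resolves to /bin/su, as the RESTRICTED alias does. Wildcards and digests are not modelled.

```python
"""Model of sudoers Cmnd_Spec matching, applied to the aliases posted in the thread.

Added example, not code from the thread.  Mirrors the matching rules in sudoers(5):
"ALL" matches any command, a bare path matches that path with any arguments, a path
followed by arguments matches only those exact arguments, a path followed by ""
matches only a bare invocation, and when several entries match the last one wins.
"""

# Aliases exactly as posted.
RESTRICTED = [
    "/bin/vi /etc/sudoers",
    "/bin/su - root",
    "/bin/su -",
    "/usr/sbin/visudo",
]
SHELLS = [
    "/bin/sh", "/bin/ksh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh",
    "/usr/bin/login", "/usr/bin/su",
]

# "ALL, !SHELLS, !RESTRICTED" with the aliases expanded, in order.
RULE = ["ALL"] + ["!" + c for c in SHELLS] + ["!" + c for c in RESTRICTED]


def cmnd_matches(spec, path, args):
    """Return True if one un-negated Cmnd entry matches the resolved path plus argv[1:]."""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    if spec_path != path:
        return False
    if spec_args == "":          # bare path: any arguments are accepted
        return True
    if spec_args == '""':        # explicit "": only a bare invocation
        return not args
    return spec_args.split() == list(args)


def evaluate(rule, path, args=()):
    """Walk the Cmnd_Spec list; the last matching entry decides.

    Returns (allowed, matching_entry).  matching_entry is None when nothing
    matched, in which case sudo would refuse the command.
    """
    allowed, matched = False, None
    for entry in rule:
        negated = entry.startswith("!")
        body = entry[1:] if negated else entry
        if cmnd_matches(body, path, args):
            allowed, matched = (not negated), entry
    return allowed, matched


# Constructed invocations (assumption: su lives at /bin/su, as in RESTRICTED).
CASES = [
    ("/bin/su", ("-",)),              # the form Jimmy wants blocked
    ("/bin/su", ("-", "root")),
    ("/bin/su", ()),                  # /bin/su with no arguments is not listed
    ("/bin/su", ("root",)),           # nor with any other argument string
    ("/usr/bin/su", ()),
    ("/bin/bash", ()),
    ("/tmp/bash", ()),                # a copied shell: not on the deny list
    ("/bin/vi", ("/etc/sudoers",)),
    ("/bin/vi", ("/etc/passwd",)),    # Paul's point: :!/bin/sh from inside vi
]


def report(rule=RULE, cases=CASES):
    """Return {(path, args): allowed} for the constructed cases."""
    return {(p, a): evaluate(rule, p, a)[0] for p, a in cases}


if __name__ == "__main__":
    for (path, args), allowed in report().items():
        verdict = "ALLOW" if allowed else "DENY "
        print(verdict, "sudo", " ".join((path,) + tuple(args)))
```

Run stand-alone, the script shows that only the exact paths and argument strings in the aliases are denied: "sudo su -" and "sudo su - root" are refused, while "sudo /bin/su" with no arguments, "sudo su root", a copy of bash placed outside the listed paths, and vi on any file other than /etc/sudoers all fall through to ALL. That is the behaviour the sudoers(5) manual warns about when ALL is combined with negated entries, and it is why Paul's remark about shelling out of vi applies to the rest of the deny list as well.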